Getting Basic Authorization Header to stay permanent

[AndrewChenUoA]

I've followed the instructions at https://github.com/WordPress/application-passwords/wiki/Basic-Authorization-Header----Missing and can see that API requests are coming through to Wordpress and are authenticated. Great!

Unfortunately, then when I active/deactivate/modify any plugin, Wordpress overwrites the .htaccess file and wipes out the change. I believe this might be related to the issues described in #95. Maybe this is something that only happens with later versions of Wordpress.

My guess is that I need to write a Wordpress filter somewhere in a PHP file. I'm not that familiar with PHP, and would appreciate if anyone can provide clear instructions on how to do this? But also, if we are modifying PHP files to get this request in... why can't the Application Passwords plug-in do it as well?

[kasparsd]

Thank you for reporting the issue @AndrewChenUoA!

The way headers authentication headers are set can be different on each hosting environment so we can't really have a generic solution that would work for all setups. Nginx and Apache have different ways of doing that, for example and Nginx doesn't support dynamic configuration as Apache in .htaccess.

Could you try placing the .htaccess customizations outside the opening and closing # BEGIN WordPress comments?

Here is a great article explaining the lifecyle of .htaccess in WordPress:
https://perishablepress.com/stop-wordpress-htaccess/

[AndrewChenUoA]

Makes sense - I should have reported that I'm using Wordpress 5.3.2 on an Apache box with PHP 7.1.33.

I've just put the custom line above the #BEGIN WordPress line, and so far nothing has broken and it's still working. So I'll try that for a bit, and if it's still working and I remember I'll edit the Wiki.

Worth noting that the .htaccess says explicitly:

# The directives (lines) between `BEGIN WordPress` and `END WordPress` are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.

I guess my assumption was that we don't necessarily want to stop WordPress from updating .htaccess, just that it should include this line that seems to be important for Application Passwords to work when it does update it.

[kasparsd]

Thanks for bringing up that quote. Turns out there a way to actually append additional rewrite rules using the mod_rewrite_rules filter.

So I'm re-opening this issue to add the required headers automatically.

[velara3]

I'm getting the same message. I don't have .htaccess in my root directory (or I accidentally overwrote it).

Should I copy and paste the entire code block mentioned here? Or just add that line outside of the code block and see if WordPress creates or updates the .htaccess?

Update:
Actually, there was an .htaccess already but it was in the install directory (I had created one in the root directory).

Here are the contents:

# BEGIN WordPress
# The directives (lines) between `BEGIN WordPress` and `END WordPress` are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /blog/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]
</IfModule>

# END WordPress

NOTE: When I added the rewrite rule outside of the WordPress block after the last line it didn't work. When I put it directly above the first line it did work and the warning went away.

RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
# BEGIN WordPress

[georgestephanis]

Just noting that this functionality is added to the PR to implement this in Core.

https://github.com/WordPress/wordpress-develop/pull/540/files#diff-7e404b0606ee5356291d2c6e122fd00eR1512

WordPress/wordpress-develop@d45d946